So you want maximum security for your email...

It shouldn't have been any surprise at all, but Edward Snowden's leaks of NSA information have raised awareness of the fact that our data in public clouds, like Gmail, is not entirely private. The government can get a warrant for it and the cloud company can (make that "has to") give them access to all your data. Or they can spy on the internal communications of the cloud provider and not bother with the warrant.

So what can you do? For a very long time you've been able to use PGP (Pretty Good Privacy) and similar software to make encryption end-to-end, so that only you and the person with the right encryption key can see the contents. Everyone else only sees "ciphertext" which is only crackable with an inordinate amount of time and computing resources.

PGP has always been the gold standard for privacy in email, but notorious for poor usability. The idea of End-To-End is that by implementing PGP inside Chrome, it can be made easier to use.

One big usability barrier for PGP is that it relies on a trust model called the "web of trust," illustrated here. Everyone has to trust people specifically and keep track of who they trust and what their keys are, although they can make trust transitive by signing someone else's key: If Alice signs Bob's key, they anyone who trusts Alice will trust Bob.

If this sounds complicated, that's because it is. Can Google make it easy? If not, it may not matter.

Mailvelope integrates into these webmail user interfaces, but it has to be careful how it does so. It can't let the servers gain access to unencrypted data, so it launches its own UI in which the user composes and/or edits email, picks the recipients and encrypts (or merely signs) the message.

(Image Mailvelope)

Published: June 5, 2014 -- 13:00 GMT (06:00 PDT)

Caption by: Larry Seltzer

First, cut some keys

Before you use any PGP system you have to generate a public/private key pair, which Mailvelope makes easy. You provide a passphrase which Mailvelope uses to control access to the private key in the Key Ring, more about which on the next page. The public key, as the name implies, needs no security, and in fact you want everyone to have it.

You can view the private key if you want, but it's not usually necessary. And if you don't know what it looks like then you can't give it up if you get captured and they torture you.

(Image ZDNet/CBS Interactive Inc.)

Published: June 5, 2014 -- 13:00 GMT (06:00 PDT)

Caption by: Larry Seltzer

Key Ring

You might have several keys for various accounts of your own or want to keep the public keys of those to whom you want to send messages. When you generate keys, Mailvelope puts them in the Key Ring, or you can import the keys of others. Access to the Key Ring is controlled by a passphrase; two-factor authentication would be a really good option here.

(Image ZDNet/CBS Interactive Inc.)

Published: June 5, 2014 -- 13:00 GMT (06:00 PDT)

Caption by: Larry Seltzer

Composing an email

When you want to compose an email, you can't trust the webmail interface windows because they are in the provider's domain. Mailvelope puts a button on the UI that you can use to start a Mailvelope message session in a local window, showed here.

Other buttons allow you to select the keys of recipients with which to sign the message, and to encrypt it.

(Image ZDNet/CBS Interactive Inc.)

Published: June 5, 2014 -- 13:00 GMT (06:00 PDT)

Caption by: Larry Seltzer

The encrypted message

After you encrypt the message in the Mailvelope window, you press a button which transfers the encrypted contents to a compose window for the webmail system. This image is a Gmail window. You enter the recipient(s) and a subject line.

Notice that the contents of the message are encrypted and none of the body is usable by someone without a key. The recipient(s) and subject line are in clear text though. It will remain like this, at the hosting provider, at any other server and on the wire, until the message is received by a user who uses PGP or Mailvelope or some other compliant program to decrypt it.

The fact that the recipients and subject are not encrypted (and, because of the way SMTP works, can't be) is a potential vulnerability for the system, if the user is not careful. An outsider can still determine who is emailing whom, what the subject lines are and anything else in mail headers.

(Image ZDNet/CBS Interactive Inc.)

Published: June 5, 2014 -- 13:00 GMT (06:00 PDT)

Caption by: Larry Seltzer

Received and decrypted

Here we see the recipient, using Outlook.com, after having decrypted the Mailvelope message using a UI similar to that used on the Gmail side to encrypt it. A signature is also present, allowing the user to verify the identity of the purported sender.

Compared to ordinary email, this system is highly complex, even though it is a very simplified version of PGP. There are more polished interfaces built as plugins for Microsoft Outlook, but none of the free/open source products are near usable enough.

Six Clicks: Encryption for your webmail

Those who want maximum privacy for their email have a tough time using difficult software. Google is attempting to do better with Gmail, but there's already a decent webmail solution.

Read MoreRead Less

So you want maximum security for your email...

It shouldn't have been any surprise at all, but Edward Snowden's leaks of NSA information have raised awareness of the fact that our data in public clouds, like Gmail, is not entirely private. The government can get a warrant for it and the cloud company can (make that "has to") give them access to all your data. Or they can spy on the internal communications of the cloud provider and not bother with the warrant.

So what can you do? For a very long time you've been able to use PGP (Pretty Good Privacy) and similar software to make encryption end-to-end, so that only you and the person with the right encryption key can see the contents. Everyone else only sees "ciphertext" which is only crackable with an inordinate amount of time and computing resources.

PGP has always been the gold standard for privacy in email, but notorious for poor usability. The idea of End-To-End is that by implementing PGP inside Chrome, it can be made easier to use.

One big usability barrier for PGP is that it relies on a trust model called the "web of trust," illustrated here. Everyone has to trust people specifically and keep track of who they trust and what their keys are, although they can make trust transitive by signing someone else's key: If Alice signs Bob's key, they anyone who trusts Alice will trust Bob.

If this sounds complicated, that's because it is. Can Google make it easy? If not, it may not matter.